Branch: refs/heads/main
Home:   https://github.com/WebKit/WebKit

Commit: c0ddab9c4c8f0b03d9f1f471c3883b1fd95eb7a7
    https://github.com/WebKit/WebKit/commit/c0ddab9c4c8f0b03d9f1f471c3883b1fd95eb7a7
Author: David Degazio <d_dega...@apple.com>
Date:   2023-12-15 (Fri, 15 Dec 2023)

Changed paths:
  A JSTests/stress/ClassInfo-across-structure-transition.js
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

Log Message:
-----------
Load compact ClassInfo from structure correctly in FTL
https://bugs.webkit.org/show_bug.cgi?id=263356
rdar://115494572

Reviewed by Mark Lam.

Currently, FTL assumes loading the m_classInfo from a structure is a loadPtr on all platforms - this is not the case, since ClassInfo is represented as a 32-bit CompactPtr<ClassInfo> on platforms with 36-bit addresses. As a result, when loading the ClassInfo in some FTL nodes, it results in a junk value with the lower bits being the unshifted ClassInfo address, and the upper bits being taken erroneously from m_transitionPropertyName.

This patch introduces a new loadCompactPtr() helper to FTLLowerDFGToB3 that correctly loads and shifts compact pointer fields, which in current FTL is just Structure.m_classInfo.

* JSTests/stress/ClassInfo-across-structure-transition.js: Added.
(calling):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
(JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Originally-landed-as: 267815.353@safari-7617-branch (20234c667f25). rdar://119597685
Canonical link: https://commits.webkit.org/272160@main


Commit: b600073ca93043073733879f37051cec72c99811
    https://github.com/WebKit/WebKit/commit/b600073ca93043073733879f37051cec72c99811
Author: Chris Dumez <cdu...@apple.com>
Date:   2023-12-15 (Fri, 15 Dec 2023)

Changed paths:
  A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt
  A LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html
  M Source/WebCore/html/HTMLPlugInImageElement.cpp

Log Message:
-----------
Assertion hit under Document::dispatchPagehideEvent()
https://bugs.webkit.org/show_bug.cgi?id=263204
rdar://116715579

Reviewed by Ryosuke Niwa.

Delay the load if we're not allowed to run script right now. Scheduling a load will cancel / stop any pending load, which may cause events to be fired and script to run.

The synchronous code path is kept when we're allowed to run script to avoid breaking tests such as:
- imported/w3c/web-platform-tests/css/css-writing-modes/abs-pos-non-replaced-icb-vlr-*.xht
- imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/sandbox_004.htm
- imported/blink/svg/dom/viewspec-*.html
- fast/css/acid2.html

* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash-expected.txt: Added.
* LayoutTests/fast/dom/HTMLObjectElement/updateWidget-crash.html: Added.
* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Originally-landed-as: 267815.354@safari-7617-branch (c34793cc5793). rdar://119597568
Canonical link: https://commits.webkit.org/272161@main


Commit: 7b97f35198fd00c74cd21c039e4e56c9f5a1876f
    https://github.com/WebKit/WebKit/commit/7b97f35198fd00c74cd21c039e4e56c9f5a1876f
Author: Dan Glastonbury <d...@apple.com>
Date:   2023-12-15 (Fri, 15 Dec 2023)

Changed paths:
  M Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp

Log Message:
-----------
[ANGLE] Clear pending program linking in Context::onDestroy
rdar://116661298

Reviewed by Kimmo Kinnunen.

When destroying Context, ANGLE resets any internal state before releasing allocated objects, such as Programs and Shaders. When destroying a program, any pending program linking is resolved via Program::resolveLink. This results in trying to access the Context state that’s just been reset, leading to a nullptr access.

To work around this, we ensure there are no pending links before resetting the Context state.

* Source/ThirdParty/ANGLE/src/libANGLE/Context.cpp:
(gl::Context::onDestroy):
* Tools/TestWebKitAPI/Tests/WebCore/cocoa/TestGraphicsContextGLCocoa.mm:
(TestWebKitAPI::TEST_F):

Originally-landed-as: 267815.356@safari-7617-branch (d32cd290f021). rdar://119597554
Canonical link: https://commits.webkit.org/272162@main


Commit: ecb7da686a5066eea209b6f4b2b6dcddbd0d551f
    https://github.com/WebKit/WebKit/commit/ecb7da686a5066eea209b6f4b2b6dcddbd0d551f
Author: Keith Miller <keith_mil...@apple.com>
Date:   2023-12-15 (Fri, 15 Dec 2023)

Changed paths:
  A JSTests/stress/array-iterator-to-this.js
  M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
  M Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp

Log Message:
-----------
Array iterator creation intrinsics need ToThis
https://bugs.webkit.org/show_bug.cgi?id=263408
rdar://113898245

Reviewed by Yusuke Suzuki.

Currently, we don't ToThis the 'this' value when we intrinsicify the various Array iterator creation functions, which we should.

This patch also changes `clobbersExitState` to say exit state is not clobbered if a node only writes to `HeapObjectCount`. Our previous behavior was overly conservative, which caused assertion failures as the `ToObject` following the `ToThis` would get converted to a `Check(Object)` when exit was invalid.

* JSTests/stress/array-iterator-to-this.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):

Originally-landed-as: 267815.357@safari-7617-branch (ae764a813e03). rdar://119597428
Canonical link: https://commits.webkit.org/272163@main


Compare: https://github.com/WebKit/WebKit/compare/41991eb66a3b...ecb7da686a50

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
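The first commit in this digest (c0ddab9c, "Load compact ClassInfo from structure correctly in FTL") describes a width mismatch: a 32-bit compact pointer field read with a pointer-sized load, so the result carries the unshifted compact value in its low bits and the neighbouring field in its high bits. The C program below is an added illustration of that failure mode and its fix; it is not WebKit code. The struct layout, the field names (mirrored from the commit message), the 4-bit shift (inferred from "32-bit CompactPtr" versus "36-bit addresses") and the sample values are all constructed for this example, and the specific junk pattern matches the commit's description on a little-endian host.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a 16-byte-aligned address below 2^36 fits in 32 bits once
 * shifted right by 4. The shift is inferred from the commit message, not
 * taken from WebKit's CompactPtr implementation. */
#define COMPACT_PTR_SHIFT 4
#define ADDRESS_BITS 36

/* Constructed stand-in for the two fields the commit names. The layout
 * (two adjacent 32-bit fields, 8 bytes total) is hypothetical. */
struct FakeStructure {
    uint32_t m_classInfo;              /* CompactPtr<ClassInfo>: address >> 4 */
    uint32_t m_transitionPropertyName; /* whatever sits next to it in memory */
};

/* An address is representable only if it fits ADDRESS_BITS and is aligned
 * so that no low bits are lost by the shift. */
bool compact_representable(uint64_t addr) {
    return addr < (1ULL << ADDRESS_BITS)
        && (addr & ((1ULL << COMPACT_PTR_SHIFT) - 1)) == 0;
}

uint32_t compact_encode(uint64_t addr) {
    return (uint32_t)(addr >> COMPACT_PTR_SHIFT);
}

uint64_t compact_decode(uint32_t stored) {
    return (uint64_t)stored << COMPACT_PTR_SHIFT;
}

struct FakeStructure make_structure(uint64_t class_info_addr, uint32_t neighbour) {
    struct FakeStructure s;
    s.m_classInfo = compact_encode(class_info_addr);
    s.m_transitionPropertyName = neighbour;
    return s;
}

/* The defect: a loadPtr-sized (8-byte) read of a 4-byte field. On a
 * little-endian host the low 32 bits are the unshifted compact value and
 * the high 32 bits are m_transitionPropertyName. */
uint64_t load_class_info_wrong(const struct FakeStructure *s) {
    uint64_t v;
    memcpy(&v, s, sizeof v); /* 8 bytes starting at m_classInfo */
    return v;
}

/* The fix: read only the 32-bit field, then widen and shift. */
uint64_t load_class_info_compact(const struct FakeStructure *s) {
    uint32_t stored;
    memcpy(&stored, &s->m_classInfo, sizeof stored);
    return compact_decode(stored);
}

/* Wrappers that build a structure and load it each way, so the two
 * behaviours can be compared on scalar inputs. */
uint64_t compact_load_of(uint64_t addr, uint32_t neighbour) {
    struct FakeStructure s = make_structure(addr, neighbour);
    return load_class_info_compact(&s);
}

uint64_t wide_load_of(uint64_t addr, uint32_t neighbour) {
    struct FakeStructure s = make_structure(addr, neighbour);
    return load_class_info_wrong(&s);
}

int main(void) {
    /* Constructed sample: a 36-bit, 16-byte-aligned address and a
     * recognisable neighbour so the contamination shows in the output. */
    const uint64_t class_info = 0x123456780ULL;
    const uint32_t neighbour = 0xDEADBEEFu;

    printf("stored compact value : 0x%08" PRIx32 "\n", compact_encode(class_info));
    printf("loadPtr-style load   : 0x%016" PRIx64 "\n", wide_load_of(class_info, neighbour));
    printf("loadCompactPtr-style : 0x%016" PRIx64 "\n", compact_load_of(class_info, neighbour));
    return compact_load_of(class_info, neighbour) == class_info ? 0 : 1;
}
```

The point for a reviewer is that the wide load is not merely imprecise: it yields a pointer-sized value whose every bit is wrong, assembled from two unrelated fields, so any later dereference or identity comparison against a real ClassInfo address fails in ways that depend on what the neighbouring field happens to hold.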